From 59a1281c6bf8fa68ef46716293f5524e94450a2c Mon Sep 17 00:00:00 2001
From: Aaron U'Ren
Date: Sun, 21 Apr 2024 21:54:55 -0500
Subject: [PATCH 1/3] fix(DSR): setup DSR inside pod on local eps only

Only attempt to setup DSR inside containers for local endpoints. Setting up DSR inside the containers network namespace requires local pods / endpoints.
---
 pkg/controllers/proxy/service_endpoints_sync.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/pkg/controllers/proxy/service_endpoints_sync.go b/pkg/controllers/proxy/service_endpoints_sync.go
index 057469bc8..bfbc7fbfb 100644
--- a/pkg/controllers/proxy/service_endpoints_sync.go
+++ b/pkg/controllers/proxy/service_endpoints_sync.go
@@ -564,9 +564,13 @@ func (nsc *NetworkServicesController) setupExternalIPForDSRService(svc *serviceI
 				endpoint.ip, externalIP, err)
 		}
 
-		// add the external IP to a virtual interface inside the pod so that the pod can receive it
-		if err = nsc.addDSRIPInsidePodNetNamespace(externalIP.String(), endpoint.ip); err != nil {
-			return fmt.Errorf("unable to setup DSR receiver inside pod: %v", err)
+		// It's only for local endpoints that we can enter the container's namespace and add DSR receivers inside it.
+		// If we aren't local, then we should skip this step so that we don't accidentally throw an error.
+		if endpoint.isLocal {
+			// add the external IP to a virtual interface inside the pod so that the pod can receive it
+			if err = nsc.addDSRIPInsidePodNetNamespace(externalIP.String(), endpoint.ip); err != nil {
+				return fmt.Errorf("unable to setup DSR receiver inside pod: %v", err)
+			}
 		}
 
 		svcEndpointMap[externalIPServiceID] = append(svcEndpointMap[externalIPServiceID],

From 1f0a2cfc4dded644ada4ca82a139176d05303c59 Mon Sep 17 00:00:00 2001
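Review bot: The skip taken when `endpoint.isLocal` is false on the new branch is silent, so when DSR does not work for a remote endpoint nothing in the logs shows that the in-pod receiver setup was deliberately left to the node that owns the pod; a debug line on the other path would make that visible, e.g. `} else { klog.V(2).Infof("skipping in-pod DSR receiver for non-local endpoint %s", endpoint.ip) }`, assuming this file logs through klog like network_services_controller.go in the third patch. The lines just above the hunk appear to add the endpoint as an IPVS destination regardless of locality, which is only correct for DSR if the owning node performs the same receiver setup, and the new comment could state that assumption instead of only saying the step is skipped to avoid an error. setupExternalIPForDSRService starts and ends outside the hunk.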
From: Aaron U'Ren
Date: Wed, 24 Apr 2024 17:43:45 -0500
Subject: [PATCH 2/3] fix(service_endpoints_sync.go): error to be indicative of failure type

---
 pkg/controllers/proxy/service_endpoints_sync.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/controllers/proxy/service_endpoints_sync.go b/pkg/controllers/proxy/service_endpoints_sync.go
index bfbc7fbfb..0d3ecf591 100644
--- a/pkg/controllers/proxy/service_endpoints_sync.go
+++ b/pkg/controllers/proxy/service_endpoints_sync.go
@@ -476,7 +476,7 @@ func (nsc *NetworkServicesController) setupExternalIPForDSRService(svc *serviceI
 	dummyVipInterface, err := nsc.ln.getKubeDummyInterface()
 	if err != nil {
-		return errors.New("Failed creating dummy interface: " + err.Error())
+		return errors.New("Failed getting dummy interface: " + err.Error())
 	}
 
 	ipvsSvcs, err := nsc.ln.ipvsGetServices()

From e3c0f3ba4aa182b51bbb6c365405084c76579277 Mon Sep 17 00:00:00 2001
From: Aaron U'Ren
Date: Wed, 24 Apr 2024 17:44:07 -0500
Subject: [PATCH 3/3] feat(NSC): ensure rp_filter is set correctly

rp_filter on RedHat based OS's is often set to 1 instead of 2 which is more permissive and allows the outbound route for traffic to differ from the route of incoming traffic.
---
 .../proxy/network_services_controller.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/pkg/controllers/proxy/network_services_controller.go b/pkg/controllers/proxy/network_services_controller.go
index 3173c21dd..039c92d0b 100644
--- a/pkg/controllers/proxy/network_services_controller.go
+++ b/pkg/controllers/proxy/network_services_controller.go
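Review bot: The reworded error on the `+` line still builds the message by string concatenation, which drops the underlying error from the chain so callers cannot inspect the cause with errors.Is or errors.As, and it keeps the capitalized "Failed ..." prefix that the fmt.Errorf calls in the same function (see the first patch's hunk) do not use; `return fmt.Errorf("getting kube dummy interface: %w", err)` keeps the corrected meaning and preserves the cause. fmt is already in use in this file, so no new import is needed. setupExternalIPForDSRService starts and ends outside the hunk.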
@@ -289,6 +289,20 @@ func (nsc *NetworkServicesController) Run(healthChan chan<- *healthcheck.Control
 	// https://github.com/kubernetes/kubernetes/pull/70530/files
 	setSysCtlAndCheckError(utils.IPv4ConfAllArpAnnounce, arpAnnounceUseBestLocalAddress)
 
+	// Ensure rp_filter=2 for DSR capability, see:
+	// * https://access.redhat.com/solutions/53031
+	// * https://github.com/cloudnativelabs/kube-router/pull/1651#issuecomment-2072851683
+	if nsc.isIPv4Capable {
+		sysctlErr := utils.SetSysctlSingleTemplate(utils.IPv4ConfRPFilterTemplate, "all", 2)
+		if sysctlErr != nil {
+			if sysctlErr.IsFatal() {
+				klog.Fatal(sysctlErr.Error())
+			} else {
+				klog.Error(sysctlErr.Error())
+			}
+		}
+	}
+
 	// https://github.com/cloudnativelabs/kube-router/issues/282
 	err = nsc.setupIpvsFirewall()
 	if err != nil {
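Review bot: The new block switches net.ipv4.conf.all.rp_filter to loose mode (2) on every IPv4-capable node each time the controller runs, whether or not any DSR service exists, and the comment only says it is "for DSR capability" without stating that this relaxes the node-wide reverse-path anti-spoofing check; the comment should record that trade-off, e.g. `// rp_filter=2 (loose) is node-wide and weakens reverse-path validation on every interface; DSR return traffic cannot pass strict mode (1).` Per the kernel ip-sysctl documentation the higher of the all and per-interface values is applied, so setting all=2 also overrides an interface pinned to 1, which is worth saying next to the setting so operators are not surprised. Since klog.Fatal does not return, the `else` branch can be dropped so the error handling reads flat: `if sysctlErr.IsFatal() { klog.Fatal(sysctlErr.Error()) }` followed by `klog.Error(sysctlErr.Error())`. Run starts and ends outside the hunk.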